TECHNOLOGY: CLOUD-NATIVE SECURITY CONTROLS

The requirement for breadth of coverage and depth of functionality is leading the consolidation of point tools into integrated platform modules.


Research Objectives 


The composition of cloud-native applications is a mix of APIs, containers, VMs, and serverless functions continuously integrated and delivered. Securing these applications, the underlying infrastructure, and the automation platforms that orchestrate their deployment necessitates revisiting threat models, gaining organizational alignment, and leveraging purposeful controls. Additionally, as security and DevOps continue to converge, cloud security controls are being consolidated. Project teams are evolving from a siloed approach to a unified strategy for securing cloud-native applications and platforms. In parallel, vendors are consolidating cloud security posture management (CSPM), cloud workload protection (CWP), container security, and more into integrated cloud security suites, impacting buyer personas and vendor sales motions.


In order to gain insight into these trends, ESG surveyed 383 IT and cybersecurity professionals at organizations in North America 
(US and Canada) personally responsible for evaluating or purchasing cloud security technology products and services. 


THIS STUDY SOUGHT TO:

Gauge the state of organizational convergence, tool consolidation, and the emergence of platforms.

Assess the current and future composition and environments of cloud-native apps and infrastructure.

Vet the go-forward strategy with respect to top priorities, spending intentions, and approaches for securing cloud-native environments.

Explore the problem space with respect to operational challenges and the threat landscape.
Containers play a leading role in a heterogeneous stack deployed across single and multi-clouds, with serverless functions on the horizon. Container adoption has grown appreciably over the last two years, with serverless functions being used largely on a limited basis. The term "cloud native" can be a misnomer, since the use of Kubernetes for elastic container orchestration is enabling many organizations to provision on-premises private clouds.


Program maturity gaps result in inconsistency, misconfigurations, and visibility gaps. In addition to increasing cost and complexity, the use of environment-specific cybersecurity controls 
contributes to an inability to implement centralized policies. Such policies will require a clear understanding of the threat models specific to cloud-native applications and infrastructure. 
Additionally, a cloud security visibility gap has been a common refrain, one perennially headlined by the need to better understand the configuration of cloud-resident workloads and services. 


A diverse threat model is driving the need for an integrated defense-in-depth strategy. A lack of attention to IAM basics joins externally facing workloads subject to port scanning, overly permissive 
accounts targeted by bad actors, and unauthorized access to services via open ports as the most commonly detected types of cloud misconfigurations. The diversity of the threat landscape is often 
brought to bear against cloud-native applications and infrastructure, which highlights the need for an integrated defense-in-depth approach. 


The shift from a bottom-up to a top-down approach is increasing the role of IT ops. Because different types of cloud-native controls are required for different layers of the stack and stages of the lifecycle, multiple stakeholders are involved in defining requirements and conducting the technical evaluations. As cloud-native applications gain critical mass and become a substantial portion of the IT footprint, companies are merging the related security responsibilities with their central security teams.


Automation via SDLC integration spans the application lifecycle. The need to keep pace with the elastic, dynamic nature of cloud-native applications and infrastructure makes automation a 
strategic tenet of cloud security programs. Current and planned secure DevOps use cases are being implemented across the application lifecycle by embracing both a shift-left approach and 
DevSecOps automation to provide runtime protection. 


The requirement for breadth of coverage and depth of functionality is leading the consolidation of point tools into integrated platform modules. More than half of respondents indicated their organizations intend to leverage integrated platforms to enable a centralized approach to securing heterogeneous cloud-native applications deployed across distributed clouds in the next 12-24 months. The broader adoption of IaaS/PaaS services, along with further development and deployment of cloud-native applications, is resulting in an increase in cloud-native security spending.
Containers play a leading role in a heterogeneous stack deployed across single and multi-clouds, with serverless functions on the horizon.

Containers, and now serverless functions, are underpinning microservices-based cloud-native applications

Container adoption has grown appreciably over the last two years, with serverless functions being used largely on a limited basis. However, those project teams that have had containers deployed in production for more than two years are more likely to be using serverless functions extensively, a leading indicator of the future composition of cloud-native applications.


Length of time production apps have run on containers.

Less than 6 months: 5%
6 to 11 months: 24%
12 to 23 months: 41%
24 to 36 months: 20%
More than 36 months: 11%


Use of serverless in application code.

Yes, we use serverless extensively: 26%
Yes, we use serverless on a limited basis: 47%
No, but we are evaluating serverless: 11%
No, but we plan to start using serverless in the next 12-24 months: 13%
No, and we have no plans to use serverless: 3%


While some production workloads are shifting to public clouds, container portability affords location flexibility

The term "cloud native" is a misnomer insofar as today's modern applications are not exclusive to public cloud platforms. The use of Kubernetes for elastic container orchestration is enabling many organizations to provision on-premises private clouds. As such, while some project teams may start off deploying containers in a public cloud environment, the flexibility of container portability provides options going forward to deploy across hybrid, multi-cloud environments.





Production server workloads in the cloud.

Percent of production workloads run on public cloud infrastructure services today (N=369) versus 24 months from now (N=383). Response categories include "41% to 50% of workloads" and "more than 50% of workloads"; the chart values are not legible in the source.

Container operation location approach.

Today (N=293) versus 12-24 months from today (N=382). Response options: "Our container-based applications are/will be deployed in an on-premises data center or co-location facility managed by our organization only" and "Our container-based applications are/will be deployed in a combination of public cloud platforms and private data centers"; the chart values are not legible in the source.






Cloud-native Security Challenges

Program maturity gaps result in inconsistency, misconfigurations, and visibility gaps.
The lack of security consistency across disparate environments highlights the need to evolve cybersecurity programs

In addition to increasing cost and complexity, the use of environment-specific cybersecurity controls contributes to an inability to implement centralized policies. Such policies will require a clear understanding of the threat models specific to cloud-native applications and infrastructure. Program maturation will come with experience, as evidenced by the percent of organizations with containers in production for more than 2 years who reported that they have implemented a more robust set of automated policies.

Callout (percentage not legible in the source): of respondents believe their cybersecurity program needs to evolve to secure their cloud-native applications and use of public cloud infrastructure.

Top five cloud-native app security challenges.

Maintaining security consistency across our own data center and public cloud environments where our cloud-native applications are deployed
Lack of understanding of the threat model for our cloud-native applications and infrastructure
Lack of visibility into public cloud infrastructure hosting our cloud-native applications
Use of multiple cybersecurity controls increases cost and complexity
Meeting prescribed best practices for the configuration of cloud-resident workloads and services

Callout (percentage not legible in the source): report that the lack of access to the physical network and the dynamic nature of cloud-native applications and elastic infrastructure create visibility blind spots, making security monitoring challenging.





The use of privileged accounts is the top priority for closing the cloud security visibility gap 


A cloud security visibility gap has been a common refrain, one perennially headlined by the need to better understand the 
configuration of cloud-resident workloads and services. An increase in privileged cloud credential compromises has led to a need 
to monitor the activity of these accounts for anomalies that could be indicative of an account takeover (ATO) attack. Of particular 
concern are user credentials that have administrative access to cloud and orchestration management consoles and service 
accounts that serve as the identity context for production applications. 


Most important approaches to improving security visibility for cloud-native apps.

An audit trail of privileged user and service account activity
Identifying workload configurations that are out of compliance, including those that do not adhere to industry best practices and regulatory frameworks
Location and disposition of secrets
Identifying software vulnerabilities
APIs and serverless function activity
The configuration of security groups
The permissions associated with service accounts
Operating system level activity
Detecting malware
Lateral server and container workload communication
Anomalous activity
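The audit-trail approach that tops the list above is only useful if something consumes the trail. As an added illustration (not part of the ESG report and not any Trend Micro product code), the following Python script learns each identity's usual source networks from an earlier window of a CloudTrail-like audit log, then scores later events for the account-takeover signals discussed in the preceding paragraph: a principal appearing from a new network, a service account calling from outside the network where workloads run, a console login without MFA, and high-impact IAM actions that grant persistence or privilege. The log lines, their field names, the list of high-impact actions, the internal network range and the scoring weights are all constructed assumptions of this example.

```python
"""Added example (not from the ESG report or any vendor): build a per-identity
baseline from an audit trail, then flag privileged activity that departs from
it.  Event shape, field names, the high-impact action list and the internal
network ranges are constructed assumptions of this example."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Actions whose misuse usually means persistence or privilege escalation (assumed list).
HIGH_IMPACT = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "AttachRolePolicy",
               "PutUserPolicy", "UpdateAssumeRolePolicy", "DeleteTrail", "StopLogging"}
# Networks from which service accounts (workload identities) are expected to call (assumed).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
WEIGHTS = {"UNKNOWN-PRINCIPAL": 1, "NEW-SOURCE-NETWORK": 2, "SERVICE-ACCOUNT-OFF-NETWORK": 3,
           "CONSOLE-LOGIN-NO-MFA": 3, "HIGH-IMPACT-ACTION": 2}


def parse_event(line: str) -> dict:
    e = json.loads(line)
    e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    e["src"] = ip_address(e["sourceIPAddress"])
    return e


def source_net(ip):
    """Coarsen a source address to its /24 (or /64) so a DHCP change inside the
    same office or VPC subnet does not look like a new location."""
    return ip_network(f"{ip}/24" if ip.version == 4 else f"{ip}/64", strict=False)


def build_baseline(events, cutoff):
    """Source networks seen per principal before the cutoff."""
    base = defaultdict(set)
    for e in events:
        if e["time"] < cutoff:
            base[e["principal"]].add(source_net(e["src"]))
    return base


def score_event(e, baseline):
    reasons = []
    if e["principal"] not in baseline:
        reasons.append("UNKNOWN-PRINCIPAL")
    elif source_net(e["src"]) not in baseline[e["principal"]]:
        reasons.append("NEW-SOURCE-NETWORK")
    if e["principalType"] == "service" and not any(e["src"] in n for n in INTERNAL_NETS):
        reasons.append("SERVICE-ACCOUNT-OFF-NETWORK")
    if e["eventName"] == "ConsoleLogin" and not e.get("mfaAuthenticated", False):
        reasons.append("CONSOLE-LOGIN-NO-MFA")
    if e["eventName"] in HIGH_IMPACT:
        reasons.append("HIGH-IMPACT-ACTION")
    return reasons, sum(WEIGHTS[r] for r in reasons)


def detect(lines, cutoff, threshold=2):
    """Return alerts (highest score first) for events at or after the cutoff."""
    events = [parse_event(l) for l in lines if l.strip()]
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["time"] < cutoff:
            continue
        reasons, score = score_event(e, baseline)
        if score >= threshold:
            alerts.append({"id": e["id"], "principal": e["principal"], "action": e["eventName"],
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


# Constructed audit trail: four days of normal activity, then a week containing suspicious events.
SAMPLE_TRAIL = """
{"id":"e1","time":"2021-01-10T09:00:00Z","principal":"alice","principalType":"user","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","mfaAuthenticated":true}
{"id":"e2","time":"2021-01-11T09:05:00Z","principal":"alice","principalType":"user","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7"}
{"id":"e3","time":"2021-01-12T02:00:00Z","principal":"deploy-sa","principalType":"service","eventName":"PutImage","sourceIPAddress":"10.0.3.12"}
{"id":"e4","time":"2021-01-13T02:00:00Z","principal":"deploy-sa","principalType":"service","eventName":"UpdateService","sourceIPAddress":"10.0.3.12"}
{"id":"e5","time":"2021-01-20T23:40:00Z","principal":"alice","principalType":"user","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.9","mfaAuthenticated":false}
{"id":"e6","time":"2021-01-20T23:42:00Z","principal":"alice","principalType":"user","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.9"}
{"id":"e7","time":"2021-01-21T02:00:00Z","principal":"deploy-sa","principalType":"service","eventName":"PutImage","sourceIPAddress":"10.0.3.12"}
{"id":"e8","time":"2021-01-21T03:10:00Z","principal":"deploy-sa","principalType":"service","eventName":"AttachRolePolicy","sourceIPAddress":"203.0.113.9"}
{"id":"e9","time":"2021-01-22T09:00:00Z","principal":"alice","principalType":"user","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7"}
{"id":"e10","time":"2021-01-22T10:00:00Z","principal":"mallory","principalType":"user","eventName":"CreateUser","sourceIPAddress":"203.0.113.9"}
"""
CUTOFF = datetime(2021, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for a in detect(SAMPLE_TRAIL.splitlines(), CUTOFF):
        print(f"{a['score']:>2}  {a['id']:<4} {a['principal']:<10} {a['action']:<18} {', '.join(a['reasons'])}")
```

The routine deploy-sa image push (e7) and alice's later read-only call from her usual network (e9) score zero and are not reported; the service account attaching a role policy from an external address scores highest because three independent signals coincide. In a real deployment the baseline would be rebuilt on a rolling window and the weights tuned against the organization's own false-positive rate.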





The Cloud-native Threat Landscape

A diverse threat model is driving the need for an integrated defense-in-depth strategy.
Identity and access management-related issues headline a series of misconfigured cloud services with serious ramifications

The most commonly reported types of cloud misconfigurations include those that spring from a disconcerting lack of IAM basics, such as the use of default passwords and lack of multi-factor authentication. These join other misconfigurations reported by respondents, such as externally facing workloads subject to port scanning, overly permissive accounts targeted by bad actors, and unauthorized access to services via open ports. The ramifications have been serious: data compromises and the introduction of malware, including crypto miners and ransomware. The fact that remediation steps impacted SLAs indicates a need to catch these issues before deployment by automating updates to infrastructure-as-code (IaC) templates via cloud security posture management (CSPM) controls, rather than fixing live resources after the fact.


Ten most common cloud misconfigurations in the past 12 months (percentages paired with items in chart order).

Default or no password for access to management consoles: 30%
Externally facing server workloads: 27%
Overly permissive service accounts: 25%
Overly permissive user accounts: 25%
Externally facing web servers not protected with a web application firewall and/or load balancer: 2_% (second digit not legible in the source)
Virtual machines and/or containers running as root: 22%
Lack of multi-factor authentication for access to cloud and/or Kubernetes management consoles and dashboards: 22%
Misconfigured security group permitting traffic to/from non-whitelisted IP addresses: 22%
Disabled logging leading to the lack of audit trails of account, user, and system activity: 19%
Open management ports: 19%
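The categories in the chart above are exactly what a CSPM control evaluates, whether against live resources or against the IaC templates that produce them. The following Python script is an added example (not the report's and not any vendor's code) of such checks run over a constructed, normalized inventory covering four of the surveyed categories: security groups open to the world on management ports or reachable from non-allowlisted sources, identities with console access but no MFA, overly permissive wildcard policies on users and service accounts, containers that run (or may run) as root, and accounts with audit logging disabled. The inventory schema, rule identifiers, management-port list and allowlisted CIDRs are assumptions of this example; a real deployment would populate the inventory from the cloud provider's and cluster's APIs or from parsed templates.

```python
"""Added example (not from the ESG report or any vendor): CSPM-style checks
for the misconfiguration categories surveyed above, run over a constructed
inventory.  The inventory schema below is an assumption of this example,
not a cloud provider's API format."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network

# Ports that should never be reachable from the internet (assumed list):
# SSH, RDP, WinRM, Kubernetes API server, kubelet.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986, 6443, 10250}
# Source networks trusted to reach non-web ports (assumed for this example).
ALLOWED_CIDRS = ["10.0.0.0/8", "192.0.2.0/24"]


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    detail: str


def check_security_groups(groups: list[dict], allowed_cidrs: list[str]) -> list[Finding]:
    allowed = [ip_network(c) for c in allowed_cidrs]
    out: list[Finding] = []
    for sg in groups:
        for rule in sg.get("ingress", []):
            src = ip_network(rule["cidr"], strict=False)
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
            mgmt_hit = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
            if src.prefixlen == 0 and mgmt_hit:  # 0.0.0.0/0 or ::/0
                out.append(Finding("SG-MGMT-PORT-OPEN", sg["id"],
                                   f"management ports {mgmt_hit} open to {src}"))
                continue
            trusted = any(src.version == a.version and src.subnet_of(a) for a in allowed)
            web_only = (lo, hi) in {(80, 80), (443, 443)}  # a public web tier is expected
            if not trusted and not web_only:
                out.append(Finding("SG-NON-ALLOWLISTED-SOURCE", sg["id"],
                                   f"ports {lo}-{hi} reachable from {src}, not in allowlist"))
    return out


def check_identities(identities: list[dict]) -> list[Finding]:
    out: list[Finding] = []
    for ident in identities:
        if ident.get("console_access") and not ident.get("mfa_enabled"):
            out.append(Finding("IAM-NO-MFA", ident["name"],
                               "console/dashboard access without multi-factor authentication"))
        for stmt in ident.get("policy", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            resources = stmt.get("Resource", [])
            resources = [resources] if isinstance(resources, str) else list(resources)
            wildcard = any(a in ("*", "*:*") or a.endswith(":*") for a in actions)
            if wildcard and "*" in resources:
                out.append(Finding("IAM-OVERLY-PERMISSIVE", ident["name"],
                                   f"{ident.get('kind', 'identity')} allows {actions} on all resources"))
    return out


def check_pods(pods: list[dict]) -> list[Finding]:
    out: list[Finding] = []
    for pod in pods:
        spec = pod.get("spec", {})
        pod_ctx = spec.get("securityContext", {})
        for c in spec.get("containers", []):
            ctx = {**pod_ctx, **c.get("securityContext", {})}  # container settings override pod settings
            explicit_root = ctx.get("runAsUser") == 0
            unconstrained = ctx.get("runAsUser") is None and not ctx.get("runAsNonRoot")
            if explicit_root or unconstrained:
                out.append(Finding("K8S-RUN-AS-ROOT", f"{pod['metadata']['name']}/{c['name']}",
                                   "runs as uid 0" if explicit_root else "may run as uid 0 (image default)"))
    return out


def check_accounts(accounts: list[dict]) -> list[Finding]:
    return [Finding("LOG-AUDIT-DISABLED", a["id"], "no audit trail of account, user, and system activity")
            for a in accounts if not a.get("audit_logging_enabled", False)]


def scan(inventory: dict, allowed_cidrs: list[str]) -> list[Finding]:
    return (check_security_groups(inventory.get("security_groups", []), allowed_cidrs)
            + check_identities(inventory.get("identities", []))
            + check_pods(inventory.get("pods", []))
            + check_accounts(inventory.get("accounts", [])))


# Constructed inventory for this example.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-bastion", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-db", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432},
                                    {"cidr": "203.0.113.0/24", "from_port": 5432, "to_port": 5432}]},
    ],
    "identities": [
        {"name": "ci-deployer", "kind": "service account",
         "policy": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "alice", "kind": "user", "console_access": True, "mfa_enabled": False,
         "policy": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"}]},
        {"name": "bob", "kind": "user", "console_access": True, "mfa_enabled": True, "policy": []},
    ],
    "pods": [
        {"metadata": {"name": "web"}, "spec": {"securityContext": {"runAsNonRoot": True},
                                               "containers": [{"name": "nginx"}]}},
        {"metadata": {"name": "legacy-batch"}, "spec": {"containers": [
            {"name": "worker", "securityContext": {"runAsUser": 0}}, {"name": "sidecar"}]}},
    ],
    "accounts": [{"id": "prod-123", "audit_logging_enabled": True},
                 {"id": "sandbox-456", "audit_logging_enabled": False}],
}

if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY, ALLOWED_CIDRS):
        print(f"{f.rule:26} {f.resource:22} {f.detail}")
```

Run against the sample, the scanner reports seven findings: the bastion group exposing SSH to the world, the database group admitting a non-allowlisted network, the wildcard service-account policy, alice's MFA-less console access, both containers of the legacy batch pod, and the sandbox account with logging off. The public HTTPS rule, bob, the web pod (whose pod-level runAsNonRoot applies to its container) and the production account pass. The same rule functions can be pointed at parsed IaC templates so the finding blocks the pipeline instead of interrupting a running service.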
Results of cloud misconfigurations.

Unauthorized access to applications and data: 40%
Remediation steps impacted service level agreements (SLAs): 39%
The introduction of malware: 38%
The introduction of crypto-jacking malware to mine cryptocurrency: 37%
The introduction of ransomware: 30%
We were fined due to non-compliance with an industry regulation: 30%
We lost data: 25%
A diverse range of attacks is centered on the exploitation of configuration and software vulnerabilities

The diversity of the threat landscape is often brought to bear against cloud-native applications and infrastructure. Indeed, only 12% of organizations reported not experiencing any cyber incidents targeting their cloud-native apps or infrastructure over the past year. This highlights the need for an integrated defense-in-depth approach. Such controls will enable a focus on hardened configurations, automation, segmentation, and the monitoring of accounts and services.

Callout: only 12% report having not experienced an attack on their cloud-native apps and infrastructure over the last 12 months.

Cloud-native security incidents experienced in the last 12 months (values other than the last row are not legible in the source).

Malware that has moved laterally to cloud workloads
Targeted penetration attacks
Exposed or lost data from an object store
The misuse of a privileged account, secrets, or access keys via stolen credentials
Attacks that result in the loss of data due to the insecure use of APIs
"Zero-day" exploit(s) that took advantage of new and previously unknown vulnerabilities
Unauthorized access by a third party
The misuse of a privileged account by an employee
Exploit of a misconfigured cloud service, workload, security group, and/or privileged account
Exploit(s) that took advantage of known vulnerabilities
Ransomware
We haven't experienced an attack in the last 12 months: 12%









The People Who Secure Cloud-native Environments

The shift from a bottom-up to a top-down approach is increasing the role of IT ops.
Plans to centralize and unify security by merging teams are elevating the IT ops role in cloud-native security

As cloud-native applications gain critical mass and become a substantial portion of the IT footprint, companies are merging the related security responsibilities with their central security teams. This evolution is driving a shift from a project-team-led bottom-up approach to a top-down approach for greater consistency across projects and environments.

Personnel approach to securing cloud-native apps and infrastructure (chart values are not legible in the source).

We have different teams responsible for securing cloud-native applications, but we plan to merge these responsibilities
We have already centralized and unified security responsibility across all our applications and aspects of our environment
Group with primary responsibility for securing cloud-native apps and infrastructure (chart values are not legible in the source).

IT ops
DevOps/application development
Security
Cloud center of excellence (CCoE)
Cloud engineering
Line-of-business application owner
Shared across multiple groups
Selecting and procuring cloud-native security controls is an IT ops-led team sport

Because different types of cloud-native controls are required for different layers of the stack and stages of the lifecycle, multiple stakeholders are involved in defining requirements and conducting the technical evaluations. With cloud-native applications serving business-critical functions, the choice of controls to protect them has become a strategic decision, a buying process that is now being led more often than before by IT ops or security teams.

Three charts: group that leads the definition of functional requirements; group that conducts technical evaluation; budget holders for cloud identity and access management. Response categories for all three: IT ops; Security; Cloud center of excellence (CCoE); DevOps/application development; Cloud engineering; Line-of-business application owner; Shared across groups; Don't know. (Chart values are not legible in the source.)
The Process: Cloud-native Automation

Automation via SDLC integration spans the application lifecycle.

Callout (percentage not legible in the source): say automating the introduction of controls and processes via integration with the software development lifecycle and CI/CD tools is a top priority.
The automation imperative is driving the integration of security into DevOps 


The need to keep pace with the elastic, dynamic nature of cloud-native applications and infrastructure makes automation a 
strategic tenet of cloud security programs. As a result, the ability to integrate cloud-native security controls into the tools that 
manage the software development lifecycle (SDLC), including the continuous integration and continuous delivery (CI/CD) 
stages, is a must-have requirement for such products. 


Integration of security processes and controls via DevOps processes.

We have incorporated security into our DevOps processes extensively: 32%
We have incorporated security into our DevOps processes in a limited fashion: 23%
We are evaluating security use cases that can be incorporated into our DevOps processes: 26%
We plan to incorporate security into our DevOps processes: 15%
We have not yet discussed how security fits with our DevOps processes: 4%


Security practices automated via integration with DevOps.

Currently automated via DevOps / plan to automate via DevOps in the next 12-24 months:

Identify and remediate malware before deployment to production: 36% / 46%
Apply runtime threat prevention controls: 37% / 44%
Logging of all changes for compliance audits: (current value not legible) / 45%
Identify and remediate software vulnerabilities before deployment to production: 36% / 44%
Apply controls that can detect anomalous activity: 35% / 45%
Apply runtime API security controls: 34% / 46%
Identify misconfigured services via IaC template scanning: (current value only partly legible, ending in 2%) / 48%
Apply controls that capture system activity for incident response, forensics, and threat hunting: 32% / 47%
Identify overly permissive user and service accounts: 33% / 45%
Discover and inspect APIs in source code: 33% / 44%
Apply access controls to segment inter-workload/container communication: 32% / 45%
Composition analysis to create a "bill of materials" for a source code branch: 28% / 48%
Scanning of production environments for misconfigurations: (current value not legible) / 39%
Identify secrets being committed and thus stored in source code repositories: 30% / 45%
Code scanning: (values not legible)

As DevSecOps use cases expand across the lifecycle, more cloud-native applications will be protected

Current and planned secure DevOps use cases are being implemented across the application lifecycle, from the development stage to build and integration into delivery and production, which will result in an increase in those production cloud-native applications being protected via DevSecOps practices. This full lifecycle approach embraces both a shift-left approach and DevSecOps automation as a means for runtime protection.

Percent of cloud-native apps secured via DevSecOps (means): 2021: 38%; 24 months from now: 51%.
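Of the shift-left use cases listed above, identifying secrets being committed is the one that costs the least to automate and pays back first, since a leaked access key or private key is directly usable by an attacker. The following Python script is an added example (not the report's and not any vendor's code) of a pre-commit or CI check over the added lines of a diff. It combines two techniques: fixed patterns for formats that are unambiguous (an AWS access key ID prefix, a PEM private-key header) and a generic "secret-looking assignment" pattern gated by Shannon entropy so that placeholders such as a row of x's are not reported. The diff is constructed for this example; AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation, not a live credential, and the pattern list and entropy threshold are assumptions.

```python
"""Added example (not from the ESG report or any vendor): a pre-commit style
scan of a diff's added lines for secrets, using well-known token patterns plus a
Shannon-entropy filter so placeholders are not reported.  The diff is constructed;
AKIAIOSFODNN7EXAMPLE is the placeholder access key ID from AWS documentation."""
import math
import re
from collections import Counter

# (name, pattern, minimum entropy in bits/char for the captured value).  A minimum of
# 0.0 means "always report"; the generic pattern needs a high-entropy value to be reported.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), 0.0),
    ("generic-secret-assignment",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"),
     3.5),
]


def shannon_entropy(s: str) -> float:
    """Bits per character: a random base62 token of 30+ characters scores above 4.5,
    'xxxxxxxx' scores 0, and ordinary identifiers or words typically stay near 3 or below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_added_lines(diff_lines):
    """Return (line_number, pattern_name, redacted_value) for each suspected secret
    in the lines a diff adds.  Removed lines and file headers are ignored."""
    findings = []
    for lineno, raw in enumerate(diff_lines, 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        for name, pattern, min_entropy in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if shannon_entropy(value) < min_entropy:
                continue  # low-entropy placeholder such as "xxxxxxxx"
            findings.append((lineno, name, value[:6] + "..."))  # never echo the full secret
    return findings


# Constructed diff (one line per list element, as `git diff` would emit them).
SAMPLE_DIFF_LINES = [
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    '+DB_PASSWORD = os.environ["DB_PASSWORD"]',        # read from the environment: fine
    '+PLACEHOLDER_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"',  # placeholder: filtered by entropy
    '+API_TOKEN = "q7Zp2Lm9Xk4Rt8Wv1Ny6Bc3Hs5Jd0Fg"',   # looks like a live token
    "+aws_access_key_id = AKIAIOSFODNN7EXAMPLE",        # AWS documentation placeholder
    '-old_comment = "nothing to see"',                   # removed line: ignored
    '+KEY_MATERIAL = """-----BEGIN RSA PRIVATE KEY-----',
    "+MIIEowIBAAKCAQEAexample",
    '+-----END RSA PRIVATE KEY-----"""',
]

if __name__ == "__main__":
    for lineno, name, redacted in scan_added_lines(SAMPLE_DIFF_LINES):
        print(f"line {lineno}: {name} ({redacted})")
```

On the sample diff the scan reports three lines (the high-entropy API token, the access key ID and the private-key header) and stays quiet on the value read from the environment and on the placeholder. Reported values are truncated on purpose: a scanner that prints the full secret into CI logs creates a second copy of the thing it was meant to stop.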





Technology: Cloud-native Security Controls

The requirement for breadth of coverage and depth of functionality is leading the consolidation of point tools into integrated platform modules.
Consolidation to integrated cloud-native security platforms is underway

While many have opted for separate controls for separate environments and server workload types, there is a clear preference moving forward for integrated platforms to enable a centralized approach to securing heterogeneous cloud-native applications deployed across distributed clouds. In fact, more than half of respondents indicated their organizations intend to consolidate to an integrated platform in the next 12-24 months.





Preferred security controls for protecting cloud-native applications and infrastructure.

Share selecting "We prefer a consolidated set of controls based on an integrated platform with coverage across environments (i.e., public cloud vs. on-premises) and server workload types", current approach versus 24 months from now. (Chart values are not legible in the source.)

Plans for deploying an integrated platform to protect cloud-native applications and infrastructure.

We have already consolidated to an integrated platform: 39%
We plan to consolidate to an integrated platform in the next 12-24 months: 53%
We are evaluating consolidating to an integrated platform: 7%
Don't know: 1%

The Maturation of Cloud-native Security: Securing Modern Applications and Infrastructure 


Appreciable investments will be made to close the cloud security maturity gap

The transition from remote work to the hybrid workplace is driving incremental adoption of IaaS/PaaS services and cloud-native applications. This broader adoption of IaaS/PaaS services, along with further development and deployment of cloud-native applications, is resulting in an increase in cloud-native security spending. Such investments will be made in functional modules now being integrated into cloud-native application protection platforms (CNAPP), headlined by CSPM and CWPP. The projected increase in EDR for cloud-resident workloads is part of broader XDR initiatives that will allow SOC teams to gain greater visibility into cloud-native apps and infrastructure.


Expected cloud-native app security spending change over the next 12 months.

Increase substantially: 21%
Increase slightly: 52%
Cloud-native app security controls that will benefit from increased spending (percentages paired with items in chart order; the last three values are not legible in the source).

Cloud security posture management: 38%
Cloud workload protection platforms: 37%
Endpoint detection and response for cloud-resident workloads: 36%
Data loss prevention for object stores: 33%
Cloud infrastructure entitlement management: 33%
Application security testing: 33%
Container security: 30%
Web application firewall and/or web application and API protection: 26%
API security: 20%
Runtime application self-protection
Micro-segmentation
None of the above
About Trend Micro

Trend Micro, a global leader in cybersecurity, helps make the world safe for exchanging digital information. Leveraging over 30 years of security expertise, global threat research, and innovation, Trend Micro enables resilience for customers by providing security solutions across the cloud and IT infrastructure. Optimized for the cloud and designed to simplify security via automation, Trend Micro Cloud One™ delivers world-class security in a single platform, helping you migrate to the cloud and innovate securely with compliance.


About ESG 


Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm 
that provides market intelligence and actionable insight to the global IT community. 







Research Methodology 


To gather data for this report, ESG conducted a comprehensive online survey of IT and cybersecurity professionals from private- and public-sector organizations in North America 
(United States and Canada) between December 7, 2020 and December 26, 2020. To qualify for this survey, respondents were required to be IT and cybersecurity professionals 
personally responsible for evaluating or purchasing cloud security technology products and services. All respondents were provided an incentive to complete the survey in the form of 
cash awards and/or cash equivalents. 


After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, we were left 
with a final total sample of 383 IT and cybersecurity professionals. 







RESPONDENTS BY NUMBER OF EMPLOYEES
100 to 499: 7%
500 to 999: 16%
1,000 to 2,499: 24%
2,500 to 4,999: 22%
5,000 to 9,999: 17%
10,000 to 19,999: 8%
20,000 or more: 6%

RESPONDENTS BY AGE OF COMPANY
5 years or less: 9%
6 to 10 years: 28%
11 to 20 years: 35%
21 to 50 years: 19%
More than 50 years: 10%

RESPONDENTS BY INDUSTRY
Financial; Manufacturing; Retail/wholesale; Technology; Healthcare; Communications & media; Business services; Government: 3%; Other. (Values other than Government are not legible in the source.)